ACME support in the `reseed-tools` « Reseeding « I2P Development
Wed, 12 May 2021, 02:49am #1
idk

I have added experimental support for automatic TLS certificate generation via Let's Encrypt or other ACME certificate providers in the acme branch of reseed-tools. Everything appears to work on the Let's Encrypt staging server (https://acme-staging-v02.api.letsencrypt.org/directory), and I'd like to have some help testing it. To build the acme branch:

First: Clone it

git clone https://i2pgit.org/idk/reseed-tools -b acme

Next: Build it

cd reseed-tools && make build

Finally: Try it

./reseed-tools reseed --netdb ~/.i2p/netDb --signer gnitset@clearnetmail.com --tlsHost domain.tld --acme

The UI is intended to be minimal: you pass the `--acme` flag to enable the protocol, and you set the `--acmeserver` flag to the URL of the provider you want to use. Right now it defaults to the staging server; to use it in production, set `--acmeserver` to `https://acme-v01.api.letsencrypt.org/directory`:

./reseed-tools reseed --netdb ~/.i2p/netDb --signer gnitset@clearnetmail.org --tlsHost domain.tld --acme --acmeserver "https://acme-v01.api.letsencrypt.org/directory"

To skip the prompts, such as for automation purposes, pass the `--yes` flag:

./reseed-tools reseed --netdb ~/.i2p/netDb --signer gnitset@clearnetmail.org --tlsHost domain.tld --acme --acmeserver "https://acme-v01.api.letsencrypt.org/directory" --yes

Certificate renewal is automatic. When you restart your reseed server within 2 days of expiry, the reseed server will automatically ask to renew the certificate. There is no manual "Renew" command.

If you want to try it with an `.onion` domain, the certificate will be invalid for the domain, but it will contain the information required to verify the clearnet side of the reseed server. Hypothetically, this would allow clearnet reseed domains to associate themselves with an `.onion` domain for trust purposes.

./reseed-tools reseed --netdb ~/.i2p/netDb --signer gnitset@clearnetmail.org --tlsHost domain.tld --acme --acmeserver "https://acme-v01.api.letsencrypt.org/directory" --onion --yes
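The post describes two properties of an ACME-issued reseed certificate that an operator testing the branch will want to verify: that renewal is triggered when the server restarts within 2 days of expiry, and that the certificate actually covers the `--tlsHost` name (and, for an `.onion` name, that it does not). The following is an added example written for this thread, not code from reseed-tools or from idk; it builds a throwaway self-signed certificate in place of a real ACME-issued one, and the function names `NeedsRenewal`, `CoversHost` and `SelfSignedForTest` and the 48-hour window constant are assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// renewalWindow mirrors the behaviour the post describes: a reseed server
// restarted within 2 days of expiry asks the ACME server for a new certificate.
// The constant is an assumption of this example, not a reseed-tools setting.
const renewalWindow = 48 * time.Hour

// NeedsRenewal reports whether a certificate should be renewed at time now.
// A certificate that has already expired also needs renewal.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	return !now.Add(renewalWindow).Before(cert.NotAfter)
}

// CoversHost reports whether the certificate is valid for tlsHost, i.e. the
// value passed as --tlsHost. A certificate issued for a clearnet domain is
// expected to return false for an .onion name, as the post notes.
func CoversHost(cert *x509.Certificate, tlsHost string) bool {
	return cert.VerifyHostname(tlsHost) == nil
}

// SelfSignedForTest builds a throwaway self-signed certificate with the given
// SANs and expiry. It stands in for an ACME-issued certificate so the checks
// above can run offline; it is constructed here and never used for serving.
func SelfSignedForTest(hosts []string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0]},
		DNSNames:     hosts,
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// Constructed sample: a certificate for domain.tld that expires in 24 hours,
	// i.e. inside the renewal window.
	cert, err := SelfSignedForTest([]string{"domain.tld"}, now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Printf("expires %s, needs renewal: %v\n", cert.NotAfter.Format(time.RFC3339), NeedsRenewal(cert, now))
	fmt.Printf("covers domain.tld: %v\n", CoversHost(cert, "domain.tld"))
	fmt.Printf("covers example.onion: %v\n", CoversHost(cert, "example.onion"))
}
```

To check a certificate the tool actually obtained, replace the `SelfSignedForTest` call with `x509.ParseCertificate` over the DER bytes of the issued certificate (or decode its PEM block first); the two checks are unchanged.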